Hope this is the right place for this; if not, please move to podman or selinux-policy or whatever. In enforcing mode a rawhide install isn't able to run bash in a container:

~ sudo podman run --rm=true -it --user root --dns=10.88.0.1 registry.fedoraproject.org/fedora:rawhide
~

avcs:

type=AVC msg=audit(1532316535.593:373): avc: denied { read write } for pid=19075 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c313,c937 tcontext=system_u:object_r:container_file_t:s0:c313,c937 tclass=chr_file permissive=0
type=AVC msg=audit(1532316535.594:374): avc: denied { read write } for pid=19075 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c313,c937 tcontext=system_u:object_r:container_file_t:s0:c313,c937 tclass=chr_file permissive=0
type=AVC msg=audit(1532316535.594:375): avc: denied { read write } for pid=19075 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c313,c937 tcontext=system_u:object_r:container_file_t:s0:c313,c937 tclass=chr_file permissive=0
type=AVC msg=audit(1532316535.594:376): avc: denied { read write } for pid=19075 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c313,c937 tcontext=system_u:object_r:container_file_t:s0:c313,c937 tclass=chr_file permissive=0
type=AVC msg=audit(1532316535.594:377): avc: denied { map } for pid=19075 comm="bash" path="/usr/bin/bash" dev="dm-1" ino=1980162 scontext=system_u:system_r:container_t:s0:c313,c937 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

Happy to gather more info or test fixes.
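The AVC records above are easier to triage once they are parsed into fields and the repeats collapsed: the five denials reduce to two distinct (source type, target type, class, permissions) tuples, and the second one shows /usr/bin/bash inside the container image carrying var_lib_t rather than a container type. The script below is an added example, not part of this bug report or of podman/container-selinux; the three sample records are copied from the report (two of the identical /dev/pts denials are dropped), and the set of "expected" target types passed to targets_outside is an assumption of the example, not something the report states.

```python
import re
from collections import Counter

# Sample records copied from the bug report above (serials 373, 374 and 377);
# on a real host these come from /var/log/audit/audit.log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1532316535.593:373): avc: denied { read write } for pid=19075 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c313,c937 tcontext=system_u:object_r:container_file_t:s0:c313,c937 tclass=chr_file permissive=0
type=AVC msg=audit(1532316535.594:374): avc: denied { read write } for pid=19075 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c313,c937 tcontext=system_u:object_r:container_file_t:s0:c313,c937 tclass=chr_file permissive=0
type=AVC msg=audit(1532316535.594:377): avc: denied { map } for pid=19075 comm="bash" path="/usr/bin/bash" dev="dm-1" ino=1980162 scontext=system_u:system_r:container_t:s0:c313,c937 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

# Header of a kernel AVC record: audit(timestamp:serial), verdict, permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (path, comm) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_avcs(text):
    """Parse every AVC record in a block of audit log text, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Collapse repeated denials into (stype, ttype, tclass, perms) -> count."""
    counts = Counter()
    for r in records:
        if r["verdict"] == "denied":
            counts[(r["stype"], r["ttype"], r["tclass"], r["perms"])] += 1
    return dict(counts)


def targets_outside(records, expected_types):
    """Return (path, ttype) for denied targets whose type is not in expected_types.

    expected_types is supplied by the caller (assumption of this example): the
    target types the container policy is meant to grant access to. Anything
    else is a file whose label is worth inspecting with `ls -Z`.
    """
    return {
        (r.get("path", "?"), r["ttype"])
        for r in records
        if r["verdict"] == "denied" and r["ttype"] not in expected_types
    }


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    for key, n in summarize(recs).items():
        stype, ttype, tclass, perms = key
        print(f"{n}x {stype} -> {ttype} {tclass} {{ {' '.join(perms)} }}")
    for path, ttype in sorted(targets_outside(recs, {"container_file_t"})):
        print(f"unexpected target label: {path} is {ttype}")
```

Run against a real audit.log, the summary separates a denial the container policy should already permit (container_t on container_file_t, here the pty) from one where the target file is not labelled as container content at all (/usr/bin/bash as var_lib_t); the two call for different follow-up, a policy fix versus checking how the image files were labelled.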
Could you make sure container-selinux installed correctly? yum reinstall container-selinux
Oops, sorry. I forgot to mention that this is on an ostree boot. So I cannot re-install here (and due to bug 1607223, rpm-ostree overlay doesn't work). I do see verify shows a few things, but only timestamps:

# rpm -V container-selinux
.......T. d /usr/share/doc/container-selinux/README.md
.......T.   /usr/share/selinux/devel/include/services/container.if
.......T.   /usr/share/selinux/packages/container.pp.bz2

I can boot a normal install and see how it does there in a bit here.
OK, in a normal boot it works. So it's something particular to the ostree install, it seems.
container-selinux-2.69-1.git452b90d.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d
container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d
container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.